Hacker, Researcher, and Security Advocate

Category: Community

Two intersecting road signs saying Fake and Original

Ethics in Cybersecurity Marketing – Principles of Value Contribution

Ethics in Cybersecurity Marketing is a topic of hot debate among many security practitioners. Cybersecurity vendors are often criticized for the marketing campaigns they deploy, the promises they make and the practices they use to reach members of the community.

Recently, the cybersecurity community (and I in particular) was the victim of unethical content marketing on the part of an organization we should be able to trust. EC-Council was recently discovered to be publishing blogs that were, in the opinion of a lawyer I spoke to, plagiarized from security and technology experts. One such work was my blog, “What is a Business Information Security Officer (BISO)”. What follows is a description of the events and what I believe needs to be done to correct this horrific trend.

BISO - Business Information Security Officer, white text on black background

The Saga Begins

The recent revelation with EC-Council began on Sunday, June 20, 2021. While performing a Google search to pull the Featured Snippet that had previously been attributed to my BISO blog, I discovered it was no longer connected to my blog. This is normal. Google updates their featured snippets all the time based on content they crawl from the web. However, what caught my eye was that the text of the snippet appeared to be the content from my blog but attributed to a different site.

Looking deeper I found that it was attributed to a blog on the EC-Council website. The preview text, defining what a BISO is, was almost verbatim the same as my blog with only a couple words changed. I went and reviewed the blog in detail and discovered it was a direct copy of my blog, re-worded in many places to disguise where the content had come from. Additionally, a quote from another technology professional (which I would later discover was taken from another site) and some marketing fluff for one of their certifications had been added to the end.

Notification to EC-Council and Social Media

I was hurt, I was angry, I also felt betrayed. You see, in April of 2021, I worked with EC-Council to help them address issues of misogyny and sexism that had come to light. Despite many who expressed a bad feeling about the organization, I tried to give them the benefit of the doubt and a chance to change their ways. Seeing my work plagiarized in this way was another sign to me of the disrespect EC-Council shows to the community they purport to serve. Additionally, by doing this, they had pulled traffic away from my blog where I also seek to foster interest from those looking to hire me as a public speaker.

Google search results showing EC-Council copied blog #1 and original #2
The Google search results showing the previews of my blog and the stolen content on Sunday, June 20.

I immediately sent messages via both LinkedIn and email to EC-Council’s CEO, Jay Bavisi. I also began collecting evidence and posted links to Twitter and LinkedIn to get others’ opinions of what had occurred. This was all early afternoon, Central Time, on Sunday.

The social media posts blew up. Comments, retweets, reshares, and many direct messages expressing anger with EC-Council, and support for my efforts to call out their behavior. At 5:20PM CDT, Mr. Bavisi responded to me indicating that they would investigate. At 8:33PM he responded again stating they would take down the blog while they continued investigating. At 9:35PM I was finally able to confirm that the blog had been removed from their site.

A Pattern of Behavior

For the next 48 hours the only activity was the ongoing discussion on social media. I heard nothing from EC-Council. However, I was informed that my story had been added to a growing list of misdeeds by EC-Council that have been captured on the website attrition.org. Then I received a reply from another member of the Twitter community who had found another instance of an EC-Council blog that appeared to be plagiarized from another source. Over the course of the next hour, this individual and I identified three more blogs, for a total of five blogs, that appeared to be works of plagiarism as well. I reached out to the owners of the original works and was able to confirm with at least two of them that they had not provided EC-Council with permission to use and modify their work.

How did we find them? Well, it was quite easy, honestly. You see, despite efforts to change the wording in an attempt to obfuscate where the content came from, there are always crucial key terms or phrases that can’t really be changed. So all it took was selecting a blog from the EC-Council blog site, finding a few of those key terms or phrases, and then plugging them into Google. Typically the source content showed up somewhere in the first five results. A quick read of the content side-by-side confirmed the overwhelming similarities. From there the process was the same: save documentation, confirm it was logged in the Wayback Machine at archive.org and then share to social media.
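The manual check described above (pull a few distinctive phrases out of the suspect article, search for them, then compare the two texts side by side) is the same idea that automated near-duplicate detection relies on: rewording swaps individual words, but runs of technical terms survive, so a reworded copy still shares a large fraction of its word n-grams (“shingles”) with its source. The following is an added example written for this page, not code from the original post or from any tool mentioned in it. The three texts it compares are constructed for illustration and are not quotes from any real article; the `containment` threshold is an assumption a reviewer would tune on their own content.

```python
"""Near-duplicate detection by word-shingle overlap (added example).

Compares a suspect article against candidate originals using n-word
shingles over stopword-filtered tokens. All sample texts below are
constructed for this example and are not quotes from any real article.
"""
import re
from typing import Dict, List, Set, Tuple

# Small stopword list: dropping these means swapping "a" for "the" or
# adding "essentially" does not break up a shared technical phrase.
STOPWORDS = {
    "a", "an", "the", "and", "or", "of", "to", "in", "on", "for", "is",
    "are", "that", "this", "with", "as", "by", "it", "be", "at", "from",
}


def tokenize(text: str) -> List[str]:
    """Lower-case, keep only word characters and apostrophes, drop stopwords."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    return [w for w in words if w not in STOPWORDS]


def shingles(text: str, n: int = 4) -> Set[Tuple[str, ...]]:
    """Set of n-word shingles over the filtered tokens."""
    toks = tokenize(text)
    return {tuple(toks[i:i + n]) for i in range(len(toks) - n + 1)}


def containment(suspect: str, source: str, n: int = 4) -> float:
    """Fraction of the suspect's shingles that also occur in the source.

    Containment rather than Jaccard similarity: a copy usually adds filler
    (a quote, a marketing paragraph), which would dilute a Jaccard score
    but leaves containment of the copied core high.
    """
    s, t = shingles(suspect, n), shingles(source, n)
    if not s:
        return 0.0
    return len(s & t) / len(s)


def key_phrases(suspect: str, source: str, n: int = 4, limit: int = 5) -> List[str]:
    """Shared shingles: the 'key terms or phrases' a reviewer would paste
    into a search engine to locate the original."""
    shared = shingles(suspect, n) & shingles(source, n)
    return [" ".join(sh) for sh in sorted(shared)][:limit]


def rank_sources(suspect: str, candidates: Dict[str, str], n: int = 4) -> List[Tuple[str, float]]:
    """Score every candidate original against the suspect, highest first."""
    scores = [(name, containment(suspect, text, n)) for name, text in candidates.items()]
    return sorted(scores, key=lambda pair: pair[1], reverse=True)


# Constructed sample texts (not quotes from any real blog).
ORIGINAL = (
    "A business information security officer acts as the bridge between the "
    "security team and a business unit. The BISO translates security "
    "requirements into business language and represents the business unit's "
    "priorities back to the security organization."
)
# A reworded copy: one verb swapped, filler added front and back.
REWORDED = (
    "Essentially, a business information security officer serves as the bridge "
    "between the security team and a business unit. This BISO translates "
    "security requirements into business language, and represents the business "
    "unit's priorities back to the security organization. Get certified today "
    "with our program."
)
UNRELATED = (
    "Patch management is the process of distributing and applying updates to "
    "software. Keeping systems patched reduces the attack surface and closes "
    "known vulnerabilities before they are exploited."
)
CANDIDATES = {"constructed original": ORIGINAL, "constructed unrelated": UNRELATED}

# Assumed review threshold: above this, a human should compare side by side.
REVIEW_THRESHOLD = 0.5


def flag_for_review(suspect: str, candidates: Dict[str, str]) -> List[str]:
    """Names of candidates whose containment exceeds REVIEW_THRESHOLD."""
    return [name for name, score in rank_sources(suspect, candidates) if score > REVIEW_THRESHOLD]


if __name__ == "__main__":
    for name, score in rank_sources(REWORDED, CANDIDATES):
        print(f"{name}: containment={score:.2f}")
    print("search these phrases:", key_phrases(REWORDED, ORIGINAL))
    print("flagged:", flag_for_review(REWORDED, CANDIDATES))
```

On the constructed texts the reworded copy shares about two thirds of its four-word shingles with the original and none with the unrelated text, even though every sentence was edited. The shared shingles are exactly the phrases to paste into a search engine, which is the step that turned up the source in the first five results in the account above.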

You can find copies of the screenshots taken of each blog for your own comparison in this GitHub repository.

Goodbye EC-Council Blog

Sometime after 9:35PM CDT on Tuesday (when I contacted Mr. Bavisi again regarding the additional evidence), the EC-Council blog website was taken off-line in its entirety. Requests to the blog site were redirected to their home page. In the very early hours of Wednesday morning, EC-Council published a formal statement.

EC-Council Statement announcing the removal of their blog and the publishing of non-original works

It was a complete word salad of legalese. The only mention of the term plagiarism was them insisting they use anti-plagiarism tools. Instead, they referred to the blogs as lacking proper source citation and “closely aligned” in format. Even an apology offered at the very end was full of caveats to ensure there was no admission of actual guilt. As of the writing of this blog, that is where things stand. No personal apologies have been issued, and no other contact or acknowledgement on the part of EC-Council has occurred.

Damage to the Community

The point of this blog isn’t to attack EC-Council; rather, it’s to use this example to highlight a bigger issue that is growing in the cybersecurity space. Unethical marketing behaviors such as this have sown considerable distrust between security practitioners and the vendors we rely on to supply the defensive tooling and education we need. In EC-Council’s case, they are an organization that serves to educate and certify the skills of cybersecurity professionals. Yet, despite including the word “ethical” in the title of one of their most well-known certifications, their marketing behavior fails to live up to it.

Not only have actions like this crushed the critical trust that the cybersecurity industry relies on, they also hurt content creators like me who try to share our knowledge to help educate others. The message from this incident is that content creators have to go to ridiculous lengths just to defend our rights. Otherwise, when companies choose to steal our content for their own commercial gains, it’s hard to locate and counteract.

Content Marketing Requires Investment

Based on my time spent creating content for content marketing campaigns, I have a theory that I believe is the likely cause of the issue at EC-Council. All too often, content marketing will hire professional writers who are not domain experts to create new online content. This is ok if it is done correctly. By that I mean the writers act in a ghost writer capacity. They sit down with proven experts to gain enough knowledge and unique perspective to write content on that expert’s behalf. Additionally, they are provided with research tools to further gather enough information to write a quality piece.

The problem manifests when these writers are given aggressive timelines and little access to expertise and research materials, when they’re forced to simply Google for a search term that they want to target and use the results to craft new content. This creates a situation where the temptation is great to simply leverage someone else’s work to knock out the content quickly.

Organizations need to understand that hiring non-expert professional writers is not a way to cut costs. They should be hired for their skill in writing and then empowered and enabled with the necessary support. Trying to hire professional writers without domain expertise and thinking they can simply learn from Google searches is a recipe for this kind of disaster. Organizations need to support their content marketing efforts with real investment in quality and expertise. There simply is no other way.

Content Requires Stringent QA

If you are going to publish content to your site, that means you have a duty to other content creators. Your duty is that you must ensure your authors aren’t posting plagiarized material. Simply running an automated tool clearly isn’t enough. As described above, despite EC-Council’s claims that they ran a tool, the effort to find plagiarized material was quite trivial.

You need humans that review your blogs. You need to not only ensure accuracy and valuable content, but also that it wasn’t stolen. There simply is no replacement for a human review that can inherently detect when the voicing of a piece doesn’t match that of the author.

Further, organizations need to have a culture with core values and practices that reject such unethical behaviors. If your culture is lax or uncaring, patterns of behaviors like those shown above will inevitably emerge. Organizations need to instill accountability and expect excellence from their employees. Engage with them, support them, and work with them so issues like these cannot persist.

Looking to the Future

I have no clue where EC-Council will go from here. I have no interest in being involved in any way with their organization. Not even their CISO Mag publication, or their Hacker Halted series of conferences. However, for other organizations out there, take a good hard look at your content marketing practices. Win over customers and advocates for your products and services by providing meaningful and valuable contributions through your content. Offer unique insights, share new perspectives, or highlight practical applications of your solutions to real cybersecurity problems. Don’t steal and regurgitate the original and thoughtful work of others as a way to capitalize on others’ expertise.

We need trust among the members of our community. It’s the only way we can gain the trust of the businesses we’re trying to defend. It’s time that cybersecurity vendors mesh profits and ethical behavior into a singular business vision. That is the path forward that we need.

Alyssa on-stage at RSA

Don’t Tap That Mic

Top 10 tips for working with production crews as a speaker

A colleague and I were recently talking about the bad habits we’ve seen from speakers at various conferences. This led to a deeper discussion on the importance of the production teams at these events. I think for many speakers the production teams are taken for granted. Many speakers that I’ve observed behave in ways that make it more difficult for production to do their job.

The Speaker’s Biggest Ally, Until You Screw it Up

As a former Front-of-House engineer, I have a special appreciation (as well as insight) into the world of the production crew. Any member of the production team that takes their job seriously will likely agree that the core value of their job is to make the talent look and sound their best. They are there to ensure the success of the event and that all begins with the talent. Whether it’s a speaker, a band, or actors in a play, we spend a lot of money on lights, audio reinforcement and staging to achieve this goal. Ultimately, even in the most hostile room, they are the ones that are on your side, unless you give them reason not to be.

This is why it is disturbing to me when I see speakers who behave in ways that frustrate or work against the production team’s efforts. I don’t think it’s typically because the speakers are jerks; they’re just unaware. Unfortunately, while no production staff will ever work against the speaker, if you refuse to work with them, there are things they’d like to do for you that they simply can’t. If you insist on doing things your way, that may break the methodology they follow and as a result, your presentation may suffer. So I hope sharing my perspectives from both production and speaking sides of this equation will be helpful.

1. Know your venue

One of the primary tips I always share with speakers is show up at your venue ahead of time, if possible the day before, and get the lay of the land. Check out where the stage is, how big it is, where projection is happening and how. Is it front projected, rear projected, or an LED screen? Each of these can affect how you move and present from stage. Even if the event provides you a room/stage layout, it’s important to see it in person first.

As an example of why this is important, I’ll share a personal experience. I was recently speaking at a very large conference. Based on all the info I was provided before the event, I was expecting to be in a small breakout room with a single front-projected screen and a smaller stage. However, the day before my presentation, I stopped by the room and discovered the stage was fairly large, had a massive LED screen with multiple Picture-in-Picture frames that would have my presentation, lots of stage lighting, and a great audio system. In short, it was the equivalent of a keynote stage. As a result, I was able to work with the production crew to change the approach to my presentation a little so I could take full advantage of what was a very exciting stage.

2. Introduce Yourself to Production

Going along with the topic of knowing your venue, get to know the production team in advance. Find someone during a break between speakers and introduce yourself. Personally, my intro is usually something like this: “Hi I’m Alyssa and I’m speaking on this stage tomorrow, is there anything you think I should know?” This is a great way to not only introduce yourself but also show the production team that you are a killer professional and ready to work with them. You’ve now told them you’re open to their direction and ideas on how to make your talk a success.

Production teams very much appreciate a speaker who does this. Whether it’s a massive keynote stage or a small 50 person break-out, they know that venue better than you. They’ve watched speakers work in there and they know what mistakes or issues can come up. They’ll arm you with information that will help you be your best, so listen up and work cooperatively with them.

3. Prepare for What Can Go Wrong With Your Presentation

When you introduce yourself as I suggest, the smart production team will not only answer your question but ask you in return what you want them to know. Think proactively. Does your presentation have a video or audio? Make sure they know this and have a way to get that audio to their system. Do you have special needs for the layout of the stage? Now is the time to ask if any modifications can be made. Be ready to be told no. Sometimes there are just things that seem like they should be easy from your perspective but there may be logistical, safety, or even contractual reasons why they cannot accommodate your request.

Before you even go to your venue, be aware of what the technical challenges might be in your presentation. Production crews will do their best to work with you given the tools they have at hand, but they need to know what’s coming. This can pay dividends during your presentation. At a recent conference, I had a video that played as part of my presentation. All presentations were pre-loaded on their systems and videos had to be fired separately from the PowerPoint by the production team. I had a discussion with the production team about my video. As a result, they knew it was coming. This paid off because I ended up cueing them to run the video a slide too early. Instead of letting me stand there like a dork with no video running, they flexed, played the video, and let me play catchup with my slides. As a result it was very smooth and no one in the audience was any the wiser.

4. Use Your Microphone Properly

This is a pet peeve of mine and I think for most production team members. Speakers, you need to understand how different microphones are designed to work and use them appropriately. You also need to understand that the available equipment is what’s available. It’s not an insult to you if you don’t get the kind of microphone you want. Unless you’re booking a $20K speaking gig with a rider that specifies a specific microphone, get over it if you have to use a wired handheld instead of the wireless lavalier (Lav) that most speakers appreciate. So let’s break this down by microphone type.

The Handheld Mic

We all know the handheld mic. Whether corded or wireless, these are easily recognizable. However, for many speakers, myself included, they can be inhibiting to our speaking style. However, sometimes that’s just what you have and as a stage performer (yes, that is what you are as a speaker) you must be flexible and adapt.

Picture of a wireless handheld microphone
Handheld microphones are the most common and easily recognized microphones

The key thing with handheld mics, whether wired or a wireless transmitter, is that they’re designed to be held close to your mouth. Like really close. Not so close that your lips touch them (that’s just gross) but if you hold it down at your chest level, you’re fighting against the audio engineer. It’s now impossible for them to make you heard without running into feedback problems. So hold the mic close to your mouth if it’s a hand held. Be cognizant that if you take the mic away from your mouth to gesture, no one can hear you anymore. So yeah, you’ve got to keep that mic hand in a pretty static position.

The Lavalier (Lapel or LAV Mic)

Most speakers’ favorite is the lavalier mic. This is that little clip-on mic that allows you to have your hands completely free to do anything else. However, you’ve got to be aware as a speaker how these wonderful little inventions work. Unlike the handheld, these are not designed to be held close to your mouth; in fact they’re not designed to be held at all, so don’t! Work with the production crew to place the mic in an appropriate place and just leave it there. I’ve seen speakers who want to hold it in their fingers and talk directly into it. This makes your audio engineer’s life hell and causes you to peak or clip, which sounds bad and can actually damage the audio system.

Lavalier microphone and transmitter pack.
Lavalier (Lav) mics are great for allowing a speaker to be hands free but you need to be careful.

Also be aware of your gestures when wearing a lavalier mic. They’re placed on your clothes in a strategic place by or at the recommendation of your audio crew. However, if you bump or catch the mic while gesturing you can knock it loose which can affect your volume level, create large transient sounds that can damage the audio system, or you can even damage the microphone itself. So while it’s great to be completely hands free, you still need to be aware of where that microphone is and function accordingly.

The Headset Boom

Growing in popularity, especially with some speakers, is the headset boom. These are those mics that hang from one or both ears, or maybe an overhead strap, and place the mic nice and close to your mouth. Look at images from large keynote addresses and you’ll see these in use a lot. The big advantage of this design is that there is far less chance of you knocking the mic or having your clothes move in a way that affects its positioning.

Tan colored headset microphone
Headset boom microphones are becoming increasingly popular with speakers.

These mics are obviously designed to be very close to your mouth. However, they operate from the side of your mouth in many cases and are not designed for direct input. In other words, they should not be handheld and spoken into directly as this will again cause issues with peak levels and a very frustrated audio engineer. Once your production person has helped you place the mic, again leave it alone. Don’t adjust it or move it around. They put it where it will work best, trust in their abilities or ask them if you think it needs to be moved for your comfort. Finally, sometimes these mics can be challenging in that if they’re not well secured (sometimes with tape) they can move around. This is especially true if you are very animated and moving about. So work with the production team, particularly if you’re a big mover, to make sure the mic is secure and stable.

For Mics of Any Type

As the title of this blog says, do not, under any circumstances, tap, hit, or blow into the mic. These actions can damage the delicate pickup in the microphone and can cause destructive audio transients that are harmful to the rest of the downstream audio equipment. If you want to see if a mic is hot, speak into it. If you feel self-conscious about speaking into it (you are a speaker, right?) then simply click your tongue or make another audible noise. In my somewhat humble opinion, nothing says amateur quite like a speaker who abuses a microphone to check if it is hot. As a former audio engineer, nothing was more irritating than this behavior. No audio engineer wants to watch their expensive equipment being abused. Don’t even get me started with the idiotic idea of “drop the mic”. If you don’t have thousands of dollars to replace it, treat it like what it is, someone else’s property that you’re borrowing.

5. Trust Your Volume To the Audio Engineer

I see this one way too often with unskilled speakers. They grab a handheld mic, hold it properly (close to their mouths), begin speaking and freak out about how loud it sounds. They then immediately hold it at chest level and now the audio engineer has to chase their levels the rest of the way just to make them barely audible to the audience. The moral of this story: use proper mic technique and let the audio engineer adjust the volume at their end. Sometimes what seems too loud to you is actually perfect for the audience to hear you. If it’s too loud, the engineer will adjust the levels; that’s their job. But don’t make their job harder by changing the input level and not giving them enough to work with. If there’s feedback, count on them to fix that too. Do the little things like not walking in front of the speakers, but otherwise leave it up to them to fix the feedback. It’s likely not a volume problem but rather an equalizer problem anyway.

6. Plan Your Wardrobe

This is one of those items that speakers often get wrong. When we think about stage wardrobe, most speakers think in terms of dressing for impact. That’s great. You need to look good for your audience and you want to wear something that fits with the setting and will make you memorable. However, there is a production component that needs to be considered as well. Plan your wardrobe to make the production team’s job of positioning your microphone easy.

For instance, will you be using a lavalier mic? If so, plan for where that mic will go. The goal is to get the lav mic as close to center under your chin as possible. Wearing a v-neck or button-down shirt makes this really easy. Even crew necks on t-shirts or sweaters work pretty well. Avoid shirts or blouses that have ruffles or other loose material around the neckline. Don’t plan to hang a lav mic on the lanyard from your event badge. Honestly you shouldn’t be wearing a badge while you’re up speaking anyway.

Also be aware of your jewelry. If you’re using a lav mic, having a dangling necklace that will make noise and contact the microphone is problematic. Dangling earrings can be of particular issue if you’re using a headset mic. Finally, be aware that with wireless headset and lav mics, you also need a place for the transmitter pack to go. This can be particularly problematic when wearing a dress. Without pockets or a waistband, I’ve seen women have to clip the pack to the back of their neckline. Trust me, that is not comfortable when you’re speaking. So think strategically about what you wear in terms of accommodating production needs in addition to your visual impact goals.

7. Don’t Lie in Your Sound Check

A common joke among audio engineers is that everyone lies in sound check. The audio engineer asks the talent to speak so they can get levels adjusted and the speaker comes out with a very timid and quiet voice. Then the speaker walks on stage and opens the talk with a boisterous, energetic greeting. Now the engineer is scrambling to re-adjust the levels to keep your mic from clipping or worse yet damaging their gear.

We don’t always get the opportunity to sound check as speakers. Smaller breakout stages might not afford us this opportunity. But when you do find that situation where you have a moment to help the engineer prepare audio levels, try to tell the truth. Get yourself in character for a moment and work to replicate the level of volume and energy that you typically use on stage. This makes their job easier and now you look (or more importantly, sound) your very best.

8. Early is On-time, On-Time is Late

Save your production crew, and yourself, some stress and anxiety (we all have enough of that) and be early to your presentation. Coming in two minutes before your start time is a terrible way to start or build the relationship with your production team. If they’re sweating whether the next speaker is going to arrive for their slot, they won’t be in the best of moods when you finally come strutting in. If they’re not in good moods, and if you’re scrambling at the last minute, that’s an equation for a terrible speaking experience. These are professionals you’re dealing with but they’re also human.

They have a job to keep things on time as well. So when a speaker walks in for their 2:00PM session at 1:59PM, that creates problems. It’s almost a guarantee you will not be able to get your computer hooked up, video working, get mic’ed up, get announced, and start on time at 2:00PM. They can pull out a lot of stops but they are not miracle workers. You need to do your part as a professional to help the event you’re representing create a good experience for the attendees. Remember them? They’re the ones paying to support the event, they’re the ones that expect to get something out of the experience. In short they’re the ones that matter the most! No one, not even the most world renowned keynote speaker, is bigger than the event itself. Don’t fall into that line of narcissistic thinking.

9. Know Your Rig

Unless you’re a highly sought-after keynote speaker, you’re likely using your own computer for a lot of your speaking engagements. Spend some time getting to know how it functions technically. Know how to separate the audio from the HDMI output. Most situations have a separate aux cable for audio. Know how to leverage duplicated displays versus extended displays. Be aware of what video and audio outputs your computer has and get a collection of the necessary adapters to cover other options. Don’t count on the AV team to have these for you.

Ultimately, the production crew are highly skilled individuals who know audio, lighting, and a whole host of other elements that go into producing an event. More often than not however, they are not computer or projector experts. They’ll do everything they can to help you out, but the more knowledge you have of your own hardware and software, and how to configure it when things go wrong, the better chance you’ll have of being successful.

10. Be Respectful

I feel like this should go without saying but I’ll say it anyway. The production team can be your very best friends on your speaking engagement. They want to ensure your success but they do have jobs to do. Be mindful. If it’s a big production team and they’re wearing headsets, there are conversations going on in their ears all the time. They may have to interrupt you to respond to someone who is calling them, unaware that they are talking to you. Additionally, trying to have a conversation with the audio engineer while there is someone active on stage is a high risk activity. They may ask you to come back during a break as they need to focus on that speaker. Understand that especially in breakout rooms where you may only have one production person, they’re being asked to fill a lot of roles at once (audio, visual, stage manager, etc.).

In that vein, try to have some empathy for these folks that see hundreds of speakers a month. Things that are highly urgent to you are probably pretty routine to them. It doesn’t mean they have a right to treat you poorly, but when they don’t react with the same level of urgency you’re expecting, understand that may be why. It might simply be that they’ve got a plan to address the problem and it truly isn’t as big an issue as it seems.

So be a team player. Remember the production team is there to ensure your success and thereby the overall success of the event. If you work against them, you’ll all have a bad day. However, if you’re cooperative and professional in your approach, they’ll help ensure you look like the superstar that you are!!

Three women at a table, possibly a job interview

A Promotions Gap

Are expectations in promotion helping fuel the “Skills Gap”?

Search job postings and you’ll find there are plenty of companies bragging about how they invest in their people. Internally, organizations like to boast about having a culture of promoting from within. Indeed, there are no shortage of articles touting the value of internal promotions processes. Yet, I must wonder if these words translate into action. While I’m still gathering the data in my surveys, some respondents have also reached out to me directly to share their stories. Quite a few tell me about how difficult it is to transition internally into security-related roles.

Initially, this might seem anecdotal. Without analyzing objective data, it can be dangerous to draw conclusions. However, the stories I hear are numerous and I have also witnessed and experienced similar situations. How many of these companies that claim to prioritize developing and promoting their own people, actually walk that walk? I’m beginning to believe the percentages aren’t that good.

What it means to promote from within

Establishing a culture of promoting from within requires more than mere words. In fact, failing to credibly back up such claims with actions can be detrimental to employee engagement. It’s more than simply having a process for employees to internally search and apply for jobs. It requires a commitment to your people. This commitment requires a few things:

  • Truly investing in the skills development of your people
  • Changing the way you evaluate candidates for available opportunities
  • Shedding the idea of “critical” roles that lead to external hiring

Over my 25 years in professional roles, I’ve seen the good and the bad. I’ve watched companies provide training with no clearly defined path for career advancement. I’ve experienced hiring searches that failed to accurately assess the potential of internal candidates. I’ve even been witness to hiring practices that deemed a role too “critical” to take a chance on elevating an internal employee. These are mistakes and they lead to long timelines to fill crucial positions while also devaluing existing employees.

Quote by Richard Branson about taking chances on people and promoting from within.

Investing in employee development

I’ll start with the concept I believe is probably most easily understood. I also believe, again based only on experience and hearsay, that it is the one that gets the most effort. Employee development is a concept that’s gotten increased attention in the last decade or so. More and more, organizations are coming to understand the business value of developing their employees.

Training seems to be one of the key areas that gets the focus when we talk employee development. Many organizations have formal training programs, invest in e-learning technologies, and some even set aside specific per-employee training budgets. This is great, however it only scratches the surface of what is necessary. To truly develop your employees means preparing them for their next role and providing a clear vision of what that next role can be and how they can get there.

This requires active leadership participation. It requires the organization first and foremost to have mature job descriptions and provide clear expectations. Human Resources professionals can often tell you stories of struggling to get support for this foundational element. Taking the next step of succession planning is also crucial. How will a role be filled when it becomes vacant? Leaders should constantly be working to identify “who’s next”. Ultimately, that succession planning then has to lead to action. Leaders need to be grooming those planned successors, empowering employees through challenging assignments that provide visibility into key aspects of what that next role entails. Sadly, these last two steps are often neglected or avoided altogether.

So succession planning and development require us to identify candidates by potential. That leads into the second point: we need to think about our people and how they fit open roles in a different way.

Evaluate talent differently

This is a concept that, from my experience, needs a lot of attention in most organizations. If a company is looking to fill a role, how they assess the internal candidates needs a unique approach. Far too often the same experience- and skills-based lens is used for both internal and external candidates, but that just doesn’t work. When evaluating external candidates, a reasonable mix of experience that matches the job role is expected; for instance, the expectation that a candidate for a senior manager or director role has previous “managing managers” experience. However, the same bar cannot be used for internal candidates if you’re invested in developing your people.

Internal candidates are often direct reports of the role being filled or moving into that role from another area of the business. So it can’t be expected that they’ll have the experience of someone who’s worked that role before. Organizations need to assess internal candidates based on potential. But how does the leadership team assess potential? The Harvard Business Review published a terrific article on this in 2017. The basic premise is that leaders need to be constantly aware of those employees whose performance consistently elevates that of those around them. It’s a combination of ability, drive, and social skills that should be prioritized above past experience or demonstrated role-specific skills.

Unfortunately from the stories I’ve heard, my own experiences, and indeed the glut of open security-related leadership roles currently on job boards, companies are failing in this crucial aspect. And it also leads to the third point.

No role is THAT critical

I’ve watched numerous internal security candidates get rejected or ignored and jobs posted externally because the role was deemed “too crucial”. In particular within security, there seems to be a belief that certain roles are so important that the organization must find a “step-in” candidate (someone who’s done it before and can step in and run with things day one). The problem is this prolongs the candidate search in two ways. First, it eliminates the majority of high-performing internal candidates who could be very successful in the role. Second, it shrinks the available pool of external candidates since, as studies show, the majority of job seekers are looking for new challenges. Few are going to be attracted to a job doing what they’ve already been doing.

Promoting from within requires the understanding that high-performing candidates thrive in critical roles that stretch their skills or demand them to develop new skills. Pushing back on or ignoring internal candidates because a role is “too critical” to fill internally tells your teams a lot about how much you value their skills and abilities. It says you don’t trust them, you don’t believe in them, and that the only jobs they’re qualified to fill are somehow less crucial. This is not how you create a culture of committed high performance.

About that skills gap…

When I see security roles open for long periods of time, it causes me to question the organization. Sure, many jobs need to be filled externally, especially with growing companies that are seeking to add resources. But when there’s a role that sits open for 6 months, a year, or longer, especially if it’s a senior or leadership role, one has to ask “are there no internal high-performers who could step into that role?” The broader question becomes once again: are we experiencing a skills gap, or are we just looking for the wrong skills or in the wrong places?

** Footnote: Some may take issue with certain aspects above in the context of equal employment opportunity requirements and such. Nothing I’m suggesting above is in conflict with those requirements; I simply didn’t go the extra mile of explaining how, as that is a lengthy discussion on its own.


An Exciting Start to 2020

New Year Brings Change, a New Role with a New Company

In a previous post I announced that I would be leaving my current role shortly after the new year. On New Year’s Eve it seems appropriate to share with you the other half of that story. It’s time for me to announce where I’m going and what I’ll be doing.

So let me get right to the point. I’m excited to announce that I’ll be joining Snyk Ltd. as an Application Security Advocate. Snyk develops software and performs research to help organizations find, fix, and monitor vulnerabilities in open source dependencies of their code. In my new role, I’ll be socializing strategies for how organizations can ensure security of open source dependencies. My focus will be on interaction with development and business leaders. I’ll be working to bring greater awareness of how open source challenges can be addressed.

A focus on new responsibilities

I’m truly excited to have the opportunity to re-focus on Application Security. Those of you who know my background understand that AppSec has always been my core strength. In this new role, I’ll be primarily responsible for key activities for which I have tremendous passion. Those will include creating content and various public appearances to drive the open source security and DevSecOps message.

Passion and vision

I’m really looking forward to joining Snyk. I believe in their vision of solving the challenges around open source dependencies. Their focus on research and integration as part of a DevSecOps approach really resonates with me. Their strong and steady growth model also means that I’ll have the chance to grow my career equally as dynamically. So in the end I feel like this is the right role at the right time for me.

I appreciate all the support I’ve gotten over the last year from my security community. 2019 was a phenomenal year for me personally. I look forward to continuing my growth in 2020. Happy new year to you all and I look forward to seeing where we can take our security community in the new decade.


Closing Out 2019 and Looking Ahead

Announcing a new development as 2020 approaches

Looking back at 2019, it has been a tremendous year for me from a personal and career development perspective. I’ve been very fortunate to elevate my involvement in the security community. I’ve documented much of it in this video I made in response to a challenge from Jane Frankland. Looking ahead to 2020, I have many new opportunities on the horizon that are very exciting. However, first I need to say goodbye to 2019.

The Announcement

As 2019 comes to a close, so does my time working for CDW. I made the decision to leave my role in their security practice and begin a new exciting chapter in my career. I’ll save the announcement about that until shortly after the new year. For now, I want to reflect back on how amazing this, somewhat brief, chapter of my life has been.

Over the last 18 months, I worked with some amazingly talented people in their security practice. I remember asking, when I was first approached by their recruiter, “CDW does security consulting?”. Over my time in the practice, I had the opportunity to really drive market awareness of the practice in the security community as a whole. We always joke about this 20-year-old practice being the company’s best kept secret, and it’s true. However, it was my personal mission from the start to change that.


My role afforded me the opportunity to interact with business and security leaders in all new ways. Not only did I speak at security conferences, I also was able to get in front of executive and industry specific audiences. Each opportunity allowed me to socialize new perspectives on how to solve the challenges around cyber security. Additionally, I interacted with so many wonderful people and forged new connections that I cherish greatly. I owe so much of my personal brand growth to my employer.

A Difficult Decision

It was a tough decision to leave my current role. I managed two teams of amazingly skilled individuals whom I care about very deeply. However, I believe they are in good hands. I have no doubt the security practice will continue to excel and bring value to their customers. Words cannot describe the honor of working with these wonderful people and helping coach them in their own career development. I’m looking forward to seeing all the great things each one of them will accomplish.

I have an extreme amount of respect for the organization I leave behind and all the good they have done and continue to do for the IT industry. It’s hard to leave a company when you know there is more you could accomplish there. However, I’ve got an exciting opportunity on the horizon that I simply could not say no to.

When appropriate, I will announce what my new opportunity is all about. For now, I wish to simply pause and reflect on all the great things I’ve been fortunate to accomplish as part of my current role. I’m going to enjoy the holidays and as the new year begins dive into something new and thrilling.

What Is a Hacker?

Reclaiming the Hacker Title, and Ending the Stereotypes

For some, the term hacker elicits images of a person wearing a black hoodie in a dark room working tirelessly on a computer. In other cases, connotations of criminal syndicates or nation-state attackers jump to mind. Unfortunately, thanks in part to media and entertainment portrayals of hackers, the reality is rarely understood. In fact, even formal descriptions of hackers tend to focus solely on their actions as the defining measure. In truth, the term hacker describes an identity. It refers to characteristics of how a person looks at problems and attempts to solve them.

My tattoo from GrrCON ’14 with the phrase from Jayson Street’s keynote that has inspired me ever since.

In 2014, I attended a security conference called GrrCON. A well respected member of the security community, Jayson Street, gave a very powerful keynote speech. His discussion focused on the history of hackers and drove home the message that hackers are not criminals and freaks. Instead, we are artists and inventors. His discussion impacted me so greatly that I got a tattoo at the conference that emblazons those words on the back of my shoulder.

The Mysterious Hacker

When we think about computer hackers in particular, we think about the secretive nature of hackers. People operating in anonymity, using handles rather than their names, using private and sometimes obscure communications channels to share information. Especially in the early days of the internet, this was an accurate view of the hacker community. As a result, it only adds to the myth and mystique of hacker lore. Since hackers were seen as criminals, anonymity was a crucial tool in simply advancing their craft. While their motivations were often rooted in curiosity, law enforcement had very different opinions.

As with any growing community of people, a social order began to develop as well. Personalities clashed, competition often ensued with rival hackers seeking to establish their place among the most skilled by demonstrating proof of their latest hack. Sometimes they even attacked each other. Even today, many of these behaviors persist. There is a degree of fame and respect that is given to those that demonstrate extraordinary skills. But hackers are so much more.

Curiosity and Creativity


If you’ve spent any time on my site or social media pages, you know I identify myself as a hacker. While I’ve taken over domain admin accounts by passing hashes, gained command line access to web servers via poorly configured web applications, and even dumped the entire contents of databases using blind SQL injection vulnerabilities, these skills don’t make me a hacker. On the flip side, I’ve never discovered a 0-day vulnerability, never stolen money or data, and never gone to jail for my activities. These facts don’t make me any less of a hacker.

What makes me a hacker is something more intrinsic, something integral to my very being. What makes me a hacker is my unfettered, at times almost obsessive need to understand the inner workings of technology. It’s an optimistic problem-solving skill: believing that anything can be changed or improved if I can just simply understand first how it functions.

Many hackers, myself included, will tell you that as children we took things apart. Driven by a curiosity to understand how technology worked, we learned through examination. This is a cognitive trait that shapes how we look at problems and solve complex issues. This, in my opinion, defines what makes a hacker a hacker.

Hackers and Ideology

Take a look at the interactions of hackers on social media or other forums and you’ll discover hackers are typically very idealistic. While we don’t all have the same values, more often than not, they are all rooted in positive motivations. Street, in his presentation, discussed Nikola Tesla as an early hacker. Tesla had a vision for supplying electricity to the world without cost. He built upon the discoveries of his peers and predecessors to develop new technologies. His inventions drive many of the technologies we’ve become dependent on today. He wanted everyone to take his works and use them and continue to improve them. However, due in part to businessmen with less noble values, Tesla died broke and alone, his inventions tied up in patents that prevented new innovations.

Hackers often look at the internet the same way, with very idealistic vision. Most place a great deal of value on the free exchange of ideas and information while also valuing privacy and individual liberty. Many of us work to make the internet more secure to help ensure that vision. Nowhere is this ideal more clearly displayed than at the various hacker conferences that occur every year. Tens of thousands of hackers come together in various venues around the globe in an effort to share our knowledge, our research, and our opinions on how to improve the technology of the world we live in.

Gate-keeping

Unfortunately, while many in the security community work to promote a more positive image of hackers, there are some who want to perpetuate the stereotypes. They prefer the mystique of clandestine individuals or groups that have the power, because of their skills, to disrupt society and the world. That image of the hacker culture is seen as cool and almost elitist in a way. As a result, some attempt to establish their position in the social order by trying to define who is worthy of being called a hacker. Usually the definition relies solely on the level of their skills or the novelty of the exploits they unearth.

This view is counter-productive to establishing a truly free exchange of ideas and knowledge. It serves to create cliques, toxic competitiveness, and secrecy that break down the ideals. Sure it’s part of where we came from as hackers. Yes, competition can be healthy and productive. But to be truly great as a community, we must be able to build off the work of others. We have to leverage the unique perspectives we each bring to the table and let those drive new ideas. That is how we become l33t.


Talent Shortage, Really?

Examining the disconnect between employers and job seekers in security

There is a lot of talk among business leaders about a critical shortage of cyber security talent. Many cite studies and surveys that provide context for just how big the problem has become. In fact, Cybersecurity Ventures predicted in 2017 that by 2021 nearly 3.5 Million security jobs will go unfilled. While this discussion is seemingly ubiquitous in the business world, there is another side to the story.

Interacting with the security community through social media, one quickly discovers that there are significant numbers of job seekers unable to find security jobs. In fact, I recently tweeted about a job opening that I have coming up. With roughly 4,200 followers, I had over 200 people send me direct messages expressing interest. After weeding out those who were clearly not fits, I still have a list of over 50 potential candidates. With that much interest from one tweet about one position, it seems odd that organizations are having a hard time finding candidates. This dissonance is so powerful that I personally call BS on the talent shortage. What we have is a talent disconnect, but why?

Job descriptions and unrealistic expectations

Browse the listings of security jobs and you’ll quickly see just how poor and unrealistic many of them are. In my own less-than-scientific research, I’ve noted a few of the more common issues:

  • Requirements for an overly broad range of expert-level skills beyond what any single human could possibly possess
  • Length of experience requirements that are not commensurate with the position (e.g., 6-8 years of security experience for a security analyst role)
  • Unrealistic salary ranges for a given title (e.g., a Senior Security Architect role with a salary range of $50,000-65,000)
  • Seeking impossible levels of experience in emerging technologies (e.g., 10 years experience with block chain technology)

Breaking it down

Let’s tackle these one at a time. Overly broad skills requirements often stem from building job descriptions like a wish list. The approach ends up being “we can’t have it all, but whoever checks the most boxes in this list is the one we choose”. There are two problems with this methodology. First, job seekers read those lists as hard requirements. The more items on the list they can’t check, the less likely they are to apply. Second, picking a candidate with broad knowledge but little depth may leave the organization in a bad position when deep technical expertise is needed.

Security-related job descriptions are still new to many organizations. As such, they are often derived from other technical roles with similar titles. This can lead to a scenario where the length of experience being asked for does not match up to what the market would dictate for that level of position. This same scenario can often lead to seeking impossible levels of expertise. Ultimately, more time and analysis is needed from security leaders and Human Resources working together to develop market-aligned expectations.

One of the most frustrating issues isn’t always visible from the job description itself. When the salary range attached to a role is unrealistic in terms of market forces, both hiring managers and candidates are impacted. Candidates often go through multiple rounds of interviews before finding out the pay range is too low. They end up feeling like their time was wasted. In cases where initial screening interviews are used to match salary needs, the hiring manager will likely receive few qualified candidate options, resulting in further frustration on their part.

Engaging the Security Community

Another common issue that seems to hamstring many recruiters is their inability to connect with the security community. Anyone who has security experience listed on their LinkedIn profile has likely gotten messages from recruiters. Commonly, recruiters will use one or two search criteria and match highly experienced candidates with entry-level or unrelated positions. The “hot” job market in security brings many non-technical recruiters out in search of security talent. The resulting credibility problems for recruiters in the security industry in particular creates a heavy divide.

Recruiters must overcome that credibility problem with a genuine understanding of the security landscape. Additionally, they must learn to engage security professionals through less traditional avenues. The best security recruiters have learned how to connect with the community via social media. They’ve learned how to have meaningful interactions on Twitter and are patient in their approach. It takes time, but recruiters who take time to learn security and develop long-term relationships with members of the security community find greater overall success in filling roles.

Breaking the mold

A side effect of interacting with the security community is that organizations will also shed their preconceptions of what security talent looks like. Sometimes there literally is a bias as far as the appearance of security professionals. Bold hair colors, visible tattoos, body piercings, and non-traditional fashions are very common among security experts. Meanwhile, the corporate world continues to shift at a glacial pace toward acceptance of such appearances.

Security and business leaders alike still carry heavy bias, albeit sometimes unconscious, against individual expression. Conformance to traditional standards is still sought, often to the degree of disqualifying otherwise highly qualified candidates. Managers hiring for security positions (or any positions for that matter) need to understand this and move beyond their preconceived images.

Incubating talent

I find it particularly frustrating how little foresight organizations put into developing security expertise in their current staff. As digital transformation trends continue, security has to be a part of every phase of our business. So why then don’t leaders look to groom security expertise in all business functions? Imagine a world where every team from accounting to finance to development was required to have security expertise.

An approach like this has multiple benefits. First and foremost, it begins developing a culture in which security is always a consideration. No longer do we allow admin or operational groups to fly under the radar of security considerations. Second, these resources now become an internal pool of candidates from which security-focused positions can be filled. Essentially, it becomes an incubator of security talent. Third, this type of investment in employees also helps combat turnover. Employees are able to develop marketable skills that give them a clear path for advancement or new challenges.

Obviously, this type of approach requires executive level buy-in and support. Business and support functions will be reluctant to dedicate portions of their budgets to training in skills they see as unrelated to their purpose. However, at an executive level, when the cost of training is weighed against recruiting costs, turnover costs, cost-of-vacancy, and third party services expenses, the business case is easy to build. Organizations must stop relying on someone else to develop security talent and instead they must take an active role in the process.

Bridging the gap

Is the idea of a talent shortage truly false? It’s hard for anyone to say for sure. However, the way organizations search for and cultivate talent clearly contributes to the problem. We’re seeing a shifting of the tides in terms of how security talent and hiring firms come together, but there’s still a massive gap. To those of us active in the community, that disconnect is very visible every day.

Conquering Impostor Syndrome

Recognize that you bring value to the discussion and be heard

One of the things I’ve always found incredible about the security community is the commitment to openly sharing information and discoveries. We have countless conferences, discussion media, and publications devoted to sharing security-related works. However, for many, seeing the massive contributions of others invokes a level of anxiety when seeking to establish their own contributions. The infamous impostor syndrome rears its ugly head and holds people back from getting involved.

My first experience with impostor syndrome


My memories of my first experience with impostor syndrome are very clear. I was working as a Managing Consultant for a security firm and at that point had been in security as a penetration tester for eight years. I had thought about speaking at a security conference on occasion but never really considered it a realistic goal. That is, until my director and a sales person encouraged me to submit a talk to a local conference our company was sponsoring.

I agreed, after all it was my boss telling me I should do this; and yet I was scared to death. I had seen some of the biggest names in our industry on stage at conferences, I had seen 0-day exploits announced at DEFCON, and here I was with nothing of the sort to contribute. Who am I to speak at anything? If I get accepted, they’ll all see that I’m just an average person and I’ll get laughed off the stage. All these thoughts went through my head, but I had to push through and create a talk, so that’s just what I did.

I had just come off a string of three separate application assessments where I had discovered various issues in OAuth2 implementations that created some significant vulnerabilities. I decided to put together a talk to discuss the proper implementation of OAuth2 and common failures that led to exploits. The talk got accepted, I delivered it (to a surprisingly full room), and I got some great feedback afterward.

A week or so later, I received a link with the video of my talk. I provided it to my director who suggested I send it out to our entire AppSec practice. While I received a number of gracious emails, the one that stood out in my mind came from a principal consultant who had spoken at a few conferences, including as part of a group at BlackHat USA. His response read, “A lot of hand waving here, nothing new or informative being shared”.

I was crushed. This was what I feared the most. An experienced conference speaker telling me my talk wasn’t worthy. I ignored all the good feedback I got at the conference, all the great emails I got from other consultants on our team, and I allowed this one email to confirm in my mind that I was a fraud.

Thankfully my director was an amazing leader who knew how to motivate me and he helped me see the truth. He pointed out how the email I got came from a consultant who himself was insecure and felt like an impostor. He helped me see the value of my talk and encouraged me to continue speaking. And that I have. I now speak regularly at conferences, and while I still have my bouts with impostor syndrome, I don’t let it hold me back. So I wanted to share some steps I’ve learned about how to overcome these feelings.

What causes impostor syndrome?

I’ve done a lot of self reflection on this along with a lot of reading and research. What I’ve found is that impostor syndrome is ultimately the result of feeling like one doesn’t belong. It’s this feeling that we’ve somehow stepped into a world where we are not like those around us and we’re somehow inferior as a result. When we perceive that the people around us are far more experienced, talented, or qualified than we are, those feelings come to the surface. For people in under-represented groups like people-of-color, women, those with disabilities, or LGBTQ+, the problems can be compounded since we can struggle to identify with our peers.

The problem stems from how we identify ourselves. We begin to establish our identity through labels when we are very young. Age, gender, race, job titles, etc. all play into how we identify who we are. We label others and often compare our labels with them. This is how social groups form. So when we follow a course of action in which we perceive that we’re stepping outside of those labels, our anxieties kick in. We fear that someone will figure out that we don’t wear that arbitrary label we’ve given them and they’ll see us as a fraud, that they’ll look at us and point us out as not a member of their group.

This is a very natural phenomenon in human social interactions. We place labels and gravitate toward those who we perceive as sharing the same labels we give ourselves. So how do we break down the barriers we place on ourselves? The following is the process I’ve come up with through my own self-analysis and research.

Acknowledge and combat those feelings

As you might suspect, the first step in overcoming the anxieties of impostor syndrome is to simply recognize that this is what we’re experiencing and combat it. When we begin to feel those fears, it’s important to look at those feelings and identify where they come from. How does the fear you’re experiencing relate to a feeling of not belonging? Personally, I take a mental inventory of those.

The key to combating them is objectively identifying the positive accomplishments we’ve experienced. Those positive comments and emails I received were a perfect example. So find those elements, but be careful. Do this objectively. Do not assign a relative value to them, just simply acknowledge and appreciate them.

Let the feelings go

Once you’ve identified your feelings and where they come from, you can start to let them go. Sometimes what you feel will be tied to things you simply cannot control, like your gender, race, etc. Understand that those are not characteristics that impact your qualifications and so don’t allow them to make you feel inadequate.

Also recognize those feelings that result from comparing yourself to others. Humans fall into the trap of measuring our talents and skills in comparison to others. However, that’s not a valid way to measure. Instead, see your qualifications as an objective measure, you have certain skills or you don’t. When you find that feelings of inadequacy are the result of such comparisons, trust that they’re not an accurate measure of your abilities and let them go.

Analyze your process of success

Look back at where you’ve been. How did you get to where you are today? Did you just have one success after the next without experiencing challenges and failures? If you’re honest with yourself, the answer is no. Thomas Edison did not invent a working light bulb on his first attempt. Stop holding yourself to that standard. Those challenges and failures are how you learned and developed your skills. Accept them, be proud of them, and understand that you’ll experience more of them in your future and that is a good thing.

Set objective goals and measurements

Identify the goals you have in attempting what it is you’ve set out to do. If you’re thinking about speaking at a conference, perhaps your goal is to share information about some research you did. It may seem corny, but list those goals and how you plan to measure them. Then look back. Are they based on others’ reactions, feelings, etc? If so, those are not objective goals because they’re based on your perception of someone else’s feelings. So re-frame them into something that focuses solely on you and something that you can objectively measure. This ensures that when you accomplish those goals, you’ll be able to recognize it and celebrate it. It prevents you from letting feelings downplay the great things you achieve.

Everyone experiences impostor syndrome

Finally, understand and accept that everyone has these feelings from time to time. I’ve talked to some of my idols who tell me often of their own experiences of feeling “out of their league”. It’s in pushing ourselves to exist beyond our labels that we grow and conquer obstacles. That’s how each of us becomes great.

Accept that it’s OK not to know all the answers and that if you did, it would mean you’re not pushing yourself hard enough. Have faith that it is not only acceptable to reach out for help, but that this is actually an effective tool. It gives you the opportunity to get others’ perspectives and challenge your own biases on the topic. It is also a chance to establish relationships with others who may actually be fascinated by the work you’re doing.

In the end, we all build off of each others’ works. Collaboration drives the continued growth of our collective community. So rather than convince yourself that asking for help makes you less, embrace it as part of the process.

These are the steps that have worked for me and that I’ve found corroborated in other research I’ve done. Hopefully some of this resonates with you and is helpful. I’d love to see some comments from others on what has worked for you that I’ve not included above.
